Leak and Learn: An Attacker's Cookbook to Train Using Leaked Data from Federated Learning
This work addresses privacy vulnerabilities in federated learning for users and practitioners, showing that even imperfectly reconstructed data can enhance malicious training, though it is incremental as it builds on prior attack methods.
The paper tackles the problem of data reconstruction attacks in federated learning by investigating whether leaked data from such attacks can be used to train models more effectively than benign strategies, finding that both gradient inversion and linear layer leakage attacks can improve training accuracy despite limited reconstruction quality or small amounts of leaked data.
Federated learning is a decentralized learning paradigm introduced to preserve privacy of client data. Despite this, prior work has shown that an attacker at the server can still reconstruct the private training data using only the client updates. These attacks are known as data reconstruction attacks and fall into two major categories: gradient inversion (GI) and linear layer leakage attacks (LLL). However, despite demonstrating the effectiveness of these attacks in breaching privacy, prior work has not investigated the usefulness of the reconstructed data for downstream tasks. In this work, we explore data reconstruction attacks through the lens of training and improving models with leaked data. We demonstrate the effectiveness of both GI and LLL attacks in maliciously training models using the leaked data more accurately than a benign federated learning strategy. Counter-intuitively, this bump in training quality can occur despite limited reconstruction quality or a small total number of leaked images. Finally, we show the limitations of these attacks for downstream training, individually for GI attacks and for LLL attacks.